Deaf sec oops

Is DevSecOps a thing yet?
Maybe. It is out there. With a laudable purpose (here), that however is not very well reflected elsewhere (on that site). When one refers to Krav Maga (as here), is one unaware that the thing is known mostly, if not exclusively, in a few hardcore infosec circles and not many places else ..?

As said: laudable. But let’s stick to the DevOps (+ ‘Agile’ dev ..!) world to embrace sec. May I add a want for inclusion of audit hooks ..? [At procedural levels, too]

Meanwhile, NL ‘suffers’ from a bad winter dip:

How long … driving decision time / from data driven to driven by data

How long will it take, until driving is not (only) of the ‘auto’ kind [if I’m in a self-driving car – the very definition of the term ‘automobile’ – I will be the one driving; I will be the only one with a Self], but some industry can return to its technology testbed front ..?

Seriously; at what point will teams in the sport decide their drivers do more damage than good ..? This is just the beginning of course. From data driven to driven by data.

At what earlier point, will ‘self-driving’ cars be allowed to enter the races? At first, they’ll be at the back, driving too carefully. Then, some move up the field, driving a human off course at every stupid decision. #disqualified. Then, they move into the lead. Not fair, with their superhuman responses! Or … at what point will random obstacles appear on track, to throw off the autos and profit from human responses (still) and this being sold as the way in which the software may learn to deal with real-life driving conditions?

Has anyone ever done a study into this ..? If you’ve seen something, say something: yes I’d like to hear from you.

Bonus:
Scarabées Rhinocéros, 1897-1899
[Not your average trophy; Musée Lalique, Wingen-sur-Moder]

AI into the undermaincurrentstream

To the surprise of no-one – who took care to not listen to mediahumping ‘pundit’fakes –, AI seems to be coming into the Bashing phase. That’s not in the Hype Cycle, which, despite its name and (‘cycle’-)implied continuity, only has two phases but three points. But you get it, the Bashing phase is the downward slope. Now so declared by me.
And that’s where AI is now getting into. E.g., Dutchpersons read here. And you can read anywhere, actually. Bashing i.e. calling quits to the hype and mirroring in anti-hype.

But just because attention takes a nose dive, doesn’t mean ‘nothing’ happens anymore, and ‘nothing’ is or will be successful. On the contrary; despite the hype (sic) being unsustainable not because there’s no value but because that’s how hypes work, we will now get into the undercurrent development phase where, without much notice, AI systems will enter production in a most unsusceptible way, everywhere. “The impact of new technology is overestimated for the short run, but underestimated for the long run” goes here more than ever (well…) before. Point being; all the books you read [I take it that you did, otherwise you might as well not take part in the discussion b/c we too don’t like you to be found out to be an empty vessel] don’t project the changes they have (mostly not so benign, as here (of 2016 already) and many other deep dives) to be realised in a couple of years even. Which in these times would already be ‘long run’ maybe. How ‘many’ years did the iPod/iPhone (..!), or Fubbuck, or Alphabet, etc., take to break through and grab everyone’s attention and enslavement in data/profile shackles?

Until AI is mainstream again, having crowded out all other ‘solutions’ to problems you didn’t even know you have today. Then, it’ll be unstoppable. See the litt.
[Not Louis – also not at DunLewis I mean Ludwigsburg:] Baden-Württemberg

The uncontrollable dynamics of controls

Further to yesterday’s post, here are some sidelines on ‘control’s.

Where typical ‘ORM’ would take risks one by one, and treat them all in the same fashion. Take one risk, see what you can do qua preventative controls, and then .. a long time of bickering and arguing until some arm twisting leads to hap-hazard (sic) implementation of something that could in some weird way be explained to be the intended control so it only just can’t be denied to be, gets implemented till the auditors go away. Onto the next risk. In rare circumstances, already ‘implemented’ controls are also taken into the analysis (sheer quod non) and very maybe some form of interlocking effectiveness is considered. No more than the latter. Costs … no, it’s all about cost avoidance, the cost of unnecessary write-offs and hey what’s the cost of just sticking to some uniformised procedures right? The cost of potentially missed business because the business processes will be so straight-jacketed that clients go away is too hard to establish hence don’t bother.
The result: a gigantic heap of ‘control’s of which the effectiveness … isn’t.

Where typical ‘ORM’ would also take a portfolio approach of actual losses due to mishaps as in the books. Without regard for the secondary causes of controls not being effective (except the most glaring breaches of agreed (not!) upon procedures) and having incurred costs (hinder, sometimes severe, to execution; missed customers) that don’t match with any savings in avoided wrongs, and having no regard for near misses (where, oh joy, write-offs are indeed avoided). Where sheer luck or ignorance towards the unknown misses is in no way excluded, or rather, taken as a sign of being ‘in control’. Procedure macht frei.

Trying to fix this by doing an organisation-wide analysis and establishing the sum total mesh of ‘control’s, may only work in the smallest of situations where eyeballs Mark I work better. Other situations … hopelessly beyond the level of complexity that any humans can handle; technical shortcoming of brains – the presence of good examples of which already is an untenable assumption when looking at the manager class of your organisation.
Result: Yet again, 3LoD is a systemic failure. And heat maps, the same.

Solution: Radical ‘first-line’ risk management. I.e., doing management by its definition of decision making under uncertainty – which is so opposite to all the above circuses that assume total control can be had, with the ideal even of zero remainder risks… If you believe that, why not do the data collection with the fairies? But there is a future in risk management: Inclusion of uncertainty in how plans will play out, when drafting them and taking decisions about them…

To Be Continued. And there’s also:

[(Parador de) Cardona, nicely defended against – nothing anymore]

The uncertain timing of your hack(ed)

On the one hand there’s the discussions regarding the oh so much needed renewal of ‘risk management’. Trying to drop the ‘heat map’ nonsense and the 3LoD sameness.
On the other, there’s infosec trying to first get rid of all the ‘cyber’ bs (#ditchcyber) and second trying to achieve something against all grains.
On the third hand [like, here], apart from the need to integrate there’s …

A thought about probability. Classical rm talks about risks as a chance of something happening that may impact some objectives
– Of the business kind or not;
– Of the business as a whole or your local ones;
– Either positively xor (only) negatively.

But never ever is there any thought given to the formulation of the chance in time.
When there’s a 10% chance of something going wrong, do you mean tomorrow, next year, or the next couple of nanoseconds or what?
Is the chance distributed uniformly over time? How do you take into account probability changes when ‘it’ happens to you tomorrow, or to a competitor, or technology changes, or your (infosec) budget changes [allowing for better mitigation or not – or is that uncorrelated with how you spend ..? think that one through]?

Does your analysis take into account that some mishaps will happen to you as well (or the chance wouldn’t be above absolute zero!) at some point in time; meaning that a. there’s certainty it will happen, b. there’s a chance it will be you that’s hit this time, c. your only real uncertainty is when. Note that b. does include an uncertainty when you don’t define ‘time’ as an interval. Oh and there’s a d. too, being that once you’re hit, it may or may not happen again within that time interval, partially depending on whether you fixed the vulnerability right or not. [Will go study the Weibull distribution now (k>1 and λ=1), and maybe sigmoid distributions.]

And how severe the impact will be, is also quite a grey area of course. Over n dimensions, not just one € amount onto which the dimensions may be projected but then, projection is loss of an enormous kind when it comes to declarative insights let alone normative sames.

Case in point:
The dikes in NL will be breached by a flood, of a one-in-a-ten-thousand-years magnitude. Which may be tomorrow. And next week. Or only after 9.017 years, 2 months and 23 days. Or only after 19.237 years.
But the dikes are still maintained quite well.
Now discuss how global warming may impact these estimates. And how these estimates came about. ‘one-in-a-ten-thousand-years’ …!?
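A worked sketch of the point made above and in the Weibull aside earlier (a chance only means something once it is tied to a time interval; with a constant per-year chance the event is certain eventually, only its timing is uncertain), as an added Python example that is not part of the original post. It assumes the one-in-ten-thousand-years figure is a constant per-year probability (which the post itself questions) and uses the Weibull with k>1 and λ=1 as the rising-hazard case of an unfixed weakness.

```python
import math

# Constructed input: the post's dike figure, read as a constant chance
# per year (an assumption; the post questions how that figure came about).
DIKE_P_PER_YEAR = 1e-4          # "one-in-a-ten-thousand-years"


def p_within(p_per_year: float, years: float) -> float:
    """Chance of at least one event within `years`, if every year
    independently carries probability `p_per_year` (no memory)."""
    return 1.0 - (1.0 - p_per_year) ** years


def rate_from_annual_probability(p_per_year: float) -> float:
    """Constant hazard rate (events/year) of a Poisson process whose
    chance of one or more events in a single year equals p_per_year."""
    return -math.log(1.0 - p_per_year)


def weibull_survival(t: float, k: float, lam: float = 1.0) -> float:
    """P(no event before time t) for a Weibull(k, lam) waiting time."""
    return math.exp(-((t / lam) ** k))


def weibull_hazard(t: float, k: float, lam: float = 1.0) -> float:
    """Instantaneous event rate at time t, given survival until t.
    k == 1: constant (memoryless); k > 1: rising, i.e. the longer an
    unfixed weakness sits there, the likelier the hit per unit time."""
    return (k / lam) * (t / lam) ** (k - 1)


def weibull_mean(k: float, lam: float = 1.0) -> float:
    """Expected waiting time until the event."""
    return lam * math.gamma(1.0 + 1.0 / k)


def dike_horizons() -> dict:
    """The post's 'may be tomorrow ... or only after thousands of years':
    the same per-year chance, read over different intervals."""
    return {
        "tomorrow": p_within(DIKE_P_PER_YEAR, 1 / 365),
        "next_year": p_within(DIKE_P_PER_YEAR, 1),
        "next_century": p_within(DIKE_P_PER_YEAR, 100),
        "10000_years": p_within(DIKE_P_PER_YEAR, 10_000),   # ~63%, not 100%
    }


if __name__ == "__main__":
    for horizon, p in dike_horizons().items():
        print(f"{horizon:>12}: {p:.3e}")
    print("hazard k=2 at t=1 vs t=2:", weibull_hazard(1, 2), weibull_hazard(2, 2))
```

Note that over the full ten thousand years the chance of at least one breach is only about 63%, and that with k=1 the hazard is flat (the past tells you nothing), whereas with k>1 it keeps climbing until the weakness is actually fixed.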

Next up: a discussion on how ‘Operational Risk Management’ misses the mark (among a great many) by not differentiating between actual losses, near misses, and preventative versus detective/corrective controls in a balance with the costs associated with all these.

But first:

[Water conserved, so near the water; Baltimore]

Stop the kill chain

Or, stop the “kill chain” nonsense.

Whether it’s the Lockheed original, or the great (in numbers…) many variants since, they are all quite flawed. Let’s say, 99% flawed.
Since a. it’s not a chain – it’s a mesh, haphazrd(sic)ly followed through the organisation, and b. it has nothing to do with ‘kill’ – only the most idiotic n00b would pursue that.

Qua b.,
first there is this, later expanded here;
and second there is all the evidence from practice. What stupid would ‘kill’ if future rewards could be had at zero cost once a breach-and-backdoor has been made available and (as almost always is the case – APTs, anyone? – yes they still are out there, undetected yet!) available for future use i.e. value extraction not ‘kill’ ..?

Oh yes third there is nation-state-cum-coaxed-Bad-groups ‘cyber”warfare’ (#ditchcyber) but that’s outside of the scope of just about anyone, since even there, one’s weapons are probably deployed already in ‘the field’ (re APT, again) or not at all to prevent detection. In which latter case there is no such thing as a chain employed, it’s just future-impact. As if one talks about the ‘kill chain’ of a Daisy Cutter being its doings after it touches the ground.
And no, if you think you’d have to worry about nation-states trying to brick your infra, a. they will no matter how strong your defenses, b. they do already (re APT, again), c. what did you have the idea to do about it? Even the pro’s may not save you… [uhm, this goes in a lot of places/nations ..!]

Oh well, blue pills everywhere.
[Edited to add: this.]
And this:

[Once useful for beautiful Ávila]

Surprised is no-one

Or should be … About this, being that the Dutch army has been incapable, in this case of recruiting sufficient staff for its ‘cyber’ force. #ditchcyber, I’d say.
And, the House questions… a diversion. Who expects serious answers that address the root causes ..? Now there’s one for ‘no-one’.

So, root – or any intermediate – causes not being addressed even in the discussions, who expects the problem to not get worse, much worse, before failure can be placed on … others? There’s a second one.
Is there anyone out there that would be able to list, off the cuff, a set of (root/-) causes?
Like,

  • Budget. Probably, the ‘experts’ solicited will encounter ‘serious’ premiums over common rank income brackets, to be as high as… maybe even 20%! W00t! That amounts to still a full 30% of commercial income easily attainable. Certainly for the expertise and experience levels sought. Is there anyone who seriously believes that at such, relative, kindergarten rates any other one would want to work …:
  • Military command structures and career paths one would have to work within. Meh.
  • Means. One will work at the bleeding edge of development of all sorts. Does one get this, or the real thing ..? [Hey that’s our wedding song but that’s something else.] The latter being what one wants … but then would not be allowed b/c it doesn’t go well with the official standards and ordnung muss sein so the toys you need, you will not get. You will get … yesteryears’ / yesterdecades’ stuff. Think ’30s Dutch army / air force quality. Or Polish cavalry taking on Tigers with lancers on horseback. All’s fair in war, heroism wins not the day or glory just defeat. Certainly the next one, that will be as remote from mano a mano as one can get.

Case in point: The already-should’ve-been-mundane art of drone airforcing. Does the public know whether the Dutch Airforce has such a thing, at what size and capabilities, or where and how they’re stationed [some data may vary, after that post of so long ago, but not the essence]? Most probably, the above will trail a decade or more. When the current RNLAF is still exceeding expectations whenever and wherever deployed (also due to these), this may not be the case next time around…

But hey, there’s still:

[Duts Nayvee in Baltimore harbour or is it]

Maverisk / Étoiles du Nord